AAD Sign In Activity Details: Getting the Result Details
Hello, I've spent hours figuring out how to write a script using the "Get-MgAuditLogSignIn" to create a report showing which sign-in events had a "Result detail" of "Correct password" that occurred outside a set of predefined locations for all users in the last 24 hours. The concept is to be able to run this script daily to check which users may have had a guessed password from someone outside a series of predefined locations. The screenshot below communicates, in a different way, what info I want pulled for each user. The basic script I'm running revolves around this generally: # Set PowerShell execution policy Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser # Install the Microsoft Graph PowerShell Package for Reports Install-Module Microsoft.Graph.Reports # Verify Microsoft Graph was Installed Get-InstalledModule Microsoft.Graph # Sign in with the required permissions to use the "Get-MgAuditLogSignIn" cmdlet Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" # Then some type of filtering using "Get-MgAuditLogSignIn" # When done, sign out of Microsoft Graph Disconnect-MgGraph The hope is to have a script that produces the name, email, time, location, and "correct password"/Result detail for each user in the last 24 hours in a table format. Any feedback would be greatly appreciated. Here are some of the sources I've tried: https://learn.microsoft.com/en-us/graph/aad-advanced-queries?tabs=powershell https://learn.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0-preview https://learn.microsoft.com/en-us/answers/questions/1098591/export-authentication-details-from-azure-sign-in-l https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureadauditsigninlogs?view=azureadps-2.0-preview https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.reports/get-mgauditlogsignin?view=graph-powershell-1.0 https://learn.microsoft.com/en-us/powershell/microsoftgraph/get-started?toc=%2Fgraph%2Ftoc.json&view=graph-powershell-1.0 https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/get-mguserauthenticationmethod?view=graph-powershell-1.0
Powershell JEA - WMI Queries
Hi, I'm looking at using PowerShell JEA to run some WMI queries aimed at monitoring servers. Is this possible? An example of the query is below. The objective is to prevent the service account used by the monitoring application from having local administrator access. SELECT Name,VolumeName,FileSystem from Win32_LogicalDisk WHERE DriveType='3' SELECT Name from Win32_PerfRawData_PerfDisk_LogicalDisk SELECT Name from Win32_PerfRawData_PerfDisk_PhysicalDisk
PowerShell Script Failing with Auth Header and 500 Internal Server Error for REST API
Hi everyone, I'm encountering multiple issues with the PowerShell script that interacts with a REST API to execute batch jobs in FDMEE. The script is supposed to send an HTTP request with a Basic Authorization header, but I'm facing the following problems: "Invalid or Missing Authorization Header" Error: When I visit the API URL directly in the browser, I get: { "links": [], "status": 9, "details": "EPMFDM-ERROR: Invalid or Missing Authorization Header in request" } 2."Internal Server Error (500)": When running the script, it often goes to the catch block and displays a 500 Internal Server Error. Here's the error message I receive in PowerShell: PS>TerminatingError(Invoke-RestMethod): "Request failed." Error encountered in PowerShell Script. Here is the script I'm using: #HTTP Basic Authorization. Contains encrypted username and password encoded to base64 string. $headers = @{Authorization = 'Basic encryptedpassword';} # Set parameter values $jobName = $args[0] $uri = http://server.comm.iocs.address.com:0000/aif/rest/V1/jobs # Monitor status of current batch run Write-Output "Checking Job Status..." Start-Sleep -Seconds 5 $restResponse = Invoke-RestMethod -Uri $uri -Method Get -Headers $headers -ContentType "application/json" $lastJobID = $restResponse.items[0].jobID $payload = @{ jobType = "BATCH" jobName = $jobName } | ConvertTo-Json # Establish REST connection and execute batch job using REST API $restResponse = Invoke-RestMethod -Uri $uri -Method Post -Body $payload -Headers $headers -ContentType "application/json" $uri = $restResponse.links[0].href # Display initial status of batch Write-Output "See below status of batch run..." $restResponse = Invoke-RestMethod -Uri $uri -Method Get -Headers $headers -ContentType "application/json" $currentJobID = $restResponse.jobID Write-Output "Last Job ID: $lastJobID" Write-Output "Current Job ID: $currentJobID" } catch { Write-Output "Error encountered in PowerShell Script.." Write-Output $_.Exception.Message if ($_.InvocationInfo) { Write-Output "Error in script: $($_.InvocationInfo.ScriptName)" Write-Output "Error on line: $($_.InvocationInfo.ScriptLineNumber)" Write-Output "Error in command: $($_.InvocationInfo.Line)" } if ($_.Exception.Response) { Write-Output "HTTP Status Code: $($_.Exception.Response.StatusCode.Value__)" Write-Output "Status Description: $($_.Exception.Response.StatusDescription)" Write-Output "Response Content: $($_.Exception.Response.Content)" } exit 1 } Despite my efforts, the request still fails with the "Invalid or Missing Authorization Header" error and occasionally hits a 500 Internal Server Error. Here are the steps I've taken to debug the issues: Checked Base64 Encoding: Confirmed that the credentials are correctly encoded in Base64. Verified Header Format: Ensured that the Authorization header is correctly formed and included in the request. Tested with Postman: Manually tested the API request with Postman using the same Authorization header, and I'm getting the same header authorization error. Added Detailed Error Logging: Included more detailed error logging in the catch block to capture HTTP status codes and response content. I'm looking for advice on what might be causing these issues in the PowerShell script and how I can resolve them. Any insights or suggestions would be greatly appreciated!
Need advise on the below powershell script to deploy on intune devices
Hi Champs, Not sure if below script is correct. Looks like it is working if we run powershell as administrator but otherwise throwing errors. I want to deploy below script to endpoint devices via intune. Please assist. I want to set the below location path at word, options, save, Default personal templates location ForEach ($user in (Get-ChildItem "C:\Users" -Exclude Public)) { $location = "C:\Users\$($user.Name)\Documents\Custom Office Templates" $IsPresent = Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Word\Options' | ForEach-Object {If($_ -like '*PersonalTemplates*'){ Return 'True' }} if(-Not($IsPresent -eq 'True')) { New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Word\Options' -Name 'PersonalTemplates' -Value $location -PropertyType ExpandString -Force New-Item -ItemType Directory -Force -Path $location } $existingValue= Get-ItemPropertyValue -Path 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Word\Options' -Name 'PersonalTemplates' if([string]::IsNullOrWhiteSpace($existingValue)){ Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Word\Options' -Name 'PersonalTemplates' -Value $location } else{ $location=$existingValue if(!(test-path $existingValue)) { New-Item -ItemType Directory -Force -Path $existingValue } } } Regards, RamSet-ACL "Attempted to Perform an Unauthorized Operation"
Hi Folks, I'm currently working on automating security changes on Azure File Shares. As part of this process, I'd like to use Get-ACL and Set-ACL as the easiest ways to copy over a base set of permissions - icacls doesn't have as good functionality for this as it only allows restoring permissions to a file of the same name. However, whenever I use Set-ACL, I immediately get: Set-Acl : Attempted to perform an unauthorized operation. At line:1 char:55 + ... ath | Set-Acl -Path $concatPath + ~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : PermissionDenied: () [Set-Acl], UnauthorizedAccessException + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand As a note I have removed path names. The account I'm using is a domain admin and has NTFS permission to the file. It can edit these permissions using the GUI with no issues. It also has an Elevated Contributor role in Azure AD, so it should be able to edit these ACLs. I've also tried the NTFSSecurity module, which has the same issues. Similarly, I have tried to mount the fileshare to a drive with New-PSDrive, in case that helped, but no luck there either. I'm pretty out of ideas here, and icacls will require a lot more logic work to strip back the inherited permissions to what I want them to be. If anyone has any other ideas, I'd love to hear them. Thanks in advance!How save the img from "[void][Reflection.Assembly] ....... "
Hello, pls how i save the image from ..... the scripte: [void][Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") [void][Reflection.Assembly]::LoadWithPartialName("System.Drawing") $frmMain = New-Object Windows.Forms.Form $xString = @(` ) $imageBytes = [System.Convert]::FromBase64String($xString) $ms = [System.IO.MemoryStream]::new($imageBytes, 0, $imageBytes.Length) $ms.Write($imageBytes, 0, $imageBytes.Length) $pic = [System.Drawing.Image]::FromStream($ms, $true) $picArea = New-Object Windows.Forms.PictureBox $picArea.Dock = "Fill" $picArea.Image = $pic $picArea.SizeMode = "StretchImage" $frmMain.Controls.AddRange(@($picArea)) [void]$frmMain.ShowDialog() Thank for your help Arnold
